
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-213535

CAT II (Medium)

The JBoss server must separate hosted application functionality from application server management functionality.

Rule ID

SV-213535r961095_rule

STIG

JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001082

Discussion

The application server consists of the management interface and the hosted applications. By separating the management interface from the hosted applications, a user must authenticate as a privileged user to the management interface before being presented with any management functionality. This prevents non-privileged users from seeing functions that are not available to them. By limiting visibility, a compromised non-privileged account gives the attacker neither the information nor the functionality needed to further the attack on the application server.

JBoss is designed to operate with separate application and management interfaces. The JBoss server is started via a script. To start the server in domain mode, the admin executes <JBOSS_HOME>/bin/domain.sh or domain.bat; to start it in standalone mode, the admin executes <JBOSS_HOME>/bin/standalone.sh or standalone.bat. Command line flags specify which network address is used for management and which address is used for public/application access.

Check Content


Review the network design documents to identify the IP address space for the management network.

Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server. This includes interviewing the system admin, using the "ps -ef|grep" command on UNIX-like systems, or checking the command line flags and properties of the batch scripts or service wrapper on Windows systems.

Ensure the startup syntax used to start JBoss specifies a management network address and a public network address, that the two addresses differ, and that the management address falls inside the management address space identified above.

The "-b" flag specifies the public address space.
The "-bmanagement" flag specifies the management address space.

Example:
<JBOSS_HOME>/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25

The same bind addresses can also be supplied as the system properties "jboss.bind.address" and "jboss.bind.address.management" (for example through JAVA_OPTS in <JBOSS_HOME>/bin/standalone.conf) or as the interface definitions in the server configuration file (standalone.xml, or host.xml in domain mode). When the flags are absent from the command line, check those locations before concluding that the interfaces are not separated.

If JBoss is not started with separate management and public interfaces, this is a finding.
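The following script is an added example of the check above, written for this page; it is not part of the STIG text or of JBoss EAP. It evaluates a JBoss startup command line for both the -b/-bmanagement flags and their -Djboss.bind.address / -Djboss.bind.address.management property forms, requires the two addresses to be present and different, and additionally rejects a wildcard bind (0.0.0.0 or ::), which is a stricter condition than the STIG wording because a wildcard public listener also answers on the management network. It assumes the running JVM's command line contains jboss-modules.jar, which is how the EAP 6 start scripts launch the server; the sample command lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example for V-213535 (not STIG or JBoss EAP code). Checks that the
# public bind address (-b / -Djboss.bind.address) and the management bind
# address (-bmanagement / -Djboss.bind.address.management) are both set and
# differ. Rejecting 0.0.0.0 or :: is an extra condition added here.

# Print the value of one bind setting from a command line, or nothing.
#   $1: full command line
#   $2: short flag name without the dash (b or bmanagement)
#   $3: equivalent system property, regex-escaped (jboss\.bind\.address)
bind_value() {
    cmdline=" $1"   # leading space so a flag at position 0 still matches
    val=$(printf '%s\n' "$cmdline" |
        sed -n "s/.*[[:space:]]-$2[[:space:]=]\{1,\}\([^[:space:]]*\).*/\1/p")
    if [ -z "$val" ]; then
        val=$(printf '%s\n' "$cmdline" |
            sed -n "s/.*[[:space:]]-D$3=\([^[:space:]]*\).*/\1/p")
    fi
    printf '%s\n' "$val"
}

# Evaluate one command line: prints PASS or FAIL with the reason,
# returns 0 only on PASS.
check_jboss_bind() {
    pub=$(bind_value "$1" b 'jboss\.bind\.address')
    mgmt=$(bind_value "$1" bmanagement 'jboss\.bind\.address\.management')
    if [ -z "$pub" ] || [ -z "$mgmt" ]; then
        echo "FAIL: public='$pub' management='$mgmt' (both must be set)"
        return 1
    fi
    if [ "$pub" = "$mgmt" ]; then
        echo "FAIL: public and management both bound to $pub"
        return 1
    fi
    for addr in "$pub" "$mgmt"; do
        if [ "$addr" = 0.0.0.0 ] || [ "$addr" = :: ]; then
            echo "FAIL: wildcard bind $addr also listens on the management network"
            return 1
        fi
    done
    echo "PASS: public=$pub management=$mgmt"
}

# Live check on a UNIX-like host: pull the command line of every running JBoss
# JVM (standalone server, or the domain-mode controllers) and evaluate each.
# Prints nothing if no JBoss process is running.
check_running_jboss() {
    ps -eo args | grep 'jboss-modules\.jar' | grep -v grep |
    while IFS= read -r line; do
        check_jboss_bind "$line"
    done
}
```

Run check_running_jboss on the host being reviewed; a FAIL line, or an empty result when the service is known to be running under a different launcher, means the command line must be traced through the service wrapper, standalone.conf, or the interface definitions in the configuration file before a finding is recorded. The script only proves the two listeners are on different addresses; confirming that the management address belongs to the management network still requires the design documents.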

Fix Text

Start the application server with both a -bmanagement flag and a -b flag, using two different addresses, so that the management interface listens only on the management network and the hosted applications listen only on the public address.

Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.